WSM User Guide - WatchGuard Technologies

CHAPTER 7Logging and NotificationAn event is one activity that occurs at the Firebox®. For example, denying a packet from going throughthe Firebox is an event. Logging is the recording of these events to a log host. A notification is a messagesent to the administrator by the Firebox when an event occurs that is a possible security threat. Notificationcan be an e-mail or a pop-up window, or sent by way of an SMTP trap.For example, WatchGuard® recommends that you configure default packet handling to send a notificationwhen the Firebox finds a port space probe. When this occurs, the log host sends notification to thenetwork security administrator about the rejected packets. The network security administrator canexamine the log files and make decisions about how to add more security to the organization’s network.Some possible changes are:• Block the ports on which the probe was used• Block the IP address that is sending the packets• Tell the ISP through which the packets are being sentLogging and notification are important to a good network security policy. Together, they make it possibleto monitor your network security, identify attacks and attackers, and address security threats andchallenges.You can install the Log Server on the computer you are using as a management station. Or, you caninstall the Log Server software on a different computer using the WatchGuard System Manager installationprogram and selecting to install only the Log Server component. You can also add additional LogServers for backup.NoteIf you install the Management Server, Log Server, or WebBlocker Server on a computer with a firewallother than Windows Firewall, you must open the ports necessary for the servers to connect through thefirewall. Windows Firewall users do not have to change their configuration. See “Installing WatchGuardServers on computers with desktop firewalls” on page 20 for more information.User Guide 81